Qilin

Threat Actor updated 13 days ago (2024-11-08T13:22:53.705Z)

Download STIX

Preview STIX

Qilin, a threat actor known for its malicious activities in the cyberspace, has been on the rise with an increase in victim count by 44% reaching 140 in Q3. This group is part of the Octo Tempest group which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to launch more sophisticated attacks. Notably, Qilin has demonstrated its potency through a successful attack on automotive giant Yanfeng using its namesake ransomware. Furthermore, researchers have discovered a new variant of the Qilin ransomware, dubbed Qilin.B, that exhibits advanced encryption techniques and enhanced defense evasion capabilities, targeting both Windows and Linux systems for double extortion schemes. Qilin's operations are multifaceted and often involve partnerships with initial access brokers (IABs) to execute their attacks. In one observed case, the Qilin ransomware gang breached its target via a VPN portal, demonstrating their advanced tactics. Despite this, the group has not been without setbacks. The rise of RansomHub seems to have come at the expense of LockBit, which had three times more successful attacks than Qilin in the second quarter. However, the fortunes of Qilin appear to be improving as they continue to expand their reach and improve their tactics. The group has also faced legal challenges. In August, Synnovis obtained a preliminary injunction from the English High Court against the Qilin ransomware group, Telegram, and a leak site to prevent the publication of stolen data. Following this injunction, Telegram blocked the channel used by Qilin to leak the data stolen from victims. Despite these obstacles, Qilin continues to pose a significant threat, as evidenced by an incident in June where the group published stolen data on its Tor leak site. As such, organizations must remain vigilant and proactive in their cybersecurity efforts to counteract the evolving threat posed by Qilin.

Description last updated: 2024-10-29T20:12:48.378Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Ransomhub is a possible alias for Qilin. RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campai	3
Octo Tempest is a possible alias for Qilin. Octo Tempest, also known as Scattered Spider, is a prominent threat actor in the cybersecurity landscape. This group has rapidly gained notoriety in the ransomware domain by incorporating RansomHub and Qilin ransomware into its arsenal, significantly enhancing its ability to compromise systems and n	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Extortion

RaaS

Malware

Linux

Credentials

Ransom

Encryption

Chrome

Vpn

Data Leak

Cybercrime

Phishing

Windows

Esxi

Rust

Nhs

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Lockbit Malware is associated with Qilin. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	4
The Black Basta Malware is associated with Qilin. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses	Unspecified	2
The Hive Malware is associated with Qilin. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with Qilin. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB	Unspecified	3
The Bianlian Threat Actor is associated with Qilin. BianLian is a threat actor group known for its malicious activities, primarily involving ransomware attacks. The group has been particularly active in 2024, exploiting bugs in JetBrains TeamCity software to launch its attacks. This method of attack has caused significant disruptions and data breache	Unspecified	2
The Scattered Spider Threat Actor is associated with Qilin. Scattered Spider is a notorious threat actor group known for its malicious cyber activities. The group primarily targets enterprise data within Software as a Service (SaaS) applications, including less sophisticated outfits and more well-known systems such as Microsoft cloud environments and on-prem	Unspecified	2

Source Document References

Information about the Qilin Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	23 days ago	28th October – Threat Intelligence Report - Check Point Research
InfoSecurity-magazine	a month ago	RansomHub Overtakes LockBit as Most Prolific Ransomware Group
Securityaffairs	2 months ago	Security Affairs newsletter Round 491 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	2 months ago	Security Affairs newsletter Round 490 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	2 months ago	Infostealers: An Early Warning for Ransomware Attacks
Securityaffairs	2 months ago	Qilin ransomware attack on Synnovis impacted over 900K patients
DARKReading	2 months ago	Socially Savvy Scattered Spider Traps Cloud Admins in Web
Malwarebytes	3 months ago	CODAC Behavioral Healthcare, US Marshalls are latest ransomware targets \| Malwarebytes
Checkpoint	3 months ago	26th August – Threat Intelligence Report - Check Point Research
Securityaffairs	3 months ago	Qilin ransomware steals credentials stored in Google Chrome
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
InfoSecurity-magazine	3 months ago	#BHUSA: 17.8m Phishing Emails Detected in First Half of 2024
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
BankInfoSecurity	4 months ago	Synnovis Attack Halts 8,000 NHS Patient Procedures So Far
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION
InfoSecurity-magazine	4 months ago	Qilin Ransomware’s Sophisticated Tactics Unveiled By Experts
Securityaffairs	4 months ago	Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal